CVE-2026-43890
Received Received - Intake
Authorization Bypass in Outline Documentation Platform

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.7.0, the subscriptions.create API endpoint in server/routes/api/subscriptions/subscriptions.ts exhibits a broken authorization pattern. When both collectionId and documentId are supplied in the request, the route handler authorizes ONLY the collection branch (line 125 if (collectionId)), while the downstream subscriptionCreator command at server/commands/subscriptionCreator.ts writes the subscription against the documentId (which was never validated). The result is a subscription record pinning the attacker's user to a victim document the attacker has no read access to, on any team in the instance. The schema (server/routes/api/subscriptions/schema.ts) only enforces "at least one of collectionId/documentId" via .refine() β€” it does NOT enforce mutual exclusivity, so passing both is a valid, schema-conforming request. This vulnerability is fixed in 1.7.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-05-12
AI Q&A
2026-05-12
EPSS Evaluated
N/A
NVD
CVE-2026-43890
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
outline subscriptions From 0.84.0 (inc) to 1.7.1 (exc)
outline subscriptions to 1.7.0 (inc)
outline subscriptions 1.7.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Outline service versions 0.84.0 to 1.7.0, specifically in the subscriptions.create API endpoint. When a request includes both collectionId and documentId, the system only authorizes the collectionId but not the documentId. As a result, the subscription is created for the documentId without proper authorization checks, allowing an attacker to subscribe to a document they do not have read access to.

The schema allows requests with both collectionId and documentId, but does not enforce that only one should be present, which contributes to the issue. This flaw enables an attacker to link their user to a victim's document on any team within the instance without proper permission.

This vulnerability was fixed in version 1.7.1.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows an attacker to create a subscription record linking their user account to a document they do not have read access to, potentially exposing sensitive information.

Such unauthorized access to protected documents could lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Therefore, this broken authorization pattern may result in non-compliance with these standards due to unauthorized data exposure.


How can this vulnerability impact me? :

This vulnerability can allow an attacker with limited privileges to subscribe to documents they are not authorized to access. This means the attacker can gain indirect access or visibility to sensitive documents belonging to other users or teams.

Such unauthorized subscriptions could lead to information disclosure or privacy violations, as the attacker is linked to victim documents without proper read permissions.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in Outline version 1.7.1. The immediate step to mitigate this vulnerability is to upgrade the Outline service to version 1.7.1 or later.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart